Modern Cryptography - Methods and Uses

cryptog'raphy n. The process or skill of communicating in or deciphering secret writings or ciphers.[1]
So says one dictionary at least. But cryptography goes beyond communicating in 'secret writings or ciphers'.
What is Cryptography?
Most importantly, cryptography entails security. Cryptography allows you to make sure your credit card numbers aren't stolen, that no-one knows your password and that the recipient of a message knows, indisputably, that you sent it. Cryptography is the encryption and decryption of information that you want to keep secure.
Who Uses Cryptography?
Governments. Spies. Banks. Credit card companies. You, if you've ever bought anything online. But do you realise you're using cryptography? That little lock in the bottom corner of your web browser shows that you're browsing on a secure site - you're using a form of cryptography called 'single-key cryptography'. Historically, it's the most common form. Unfortunately, cryptography suffers the stigma that it is only used by people with something to hide.
Entry ID: A1315919 (Edited)
Written and Researched by: Matthew G P Coe
Edited by: Atlantic_Cable
Date: 08 January 2004

Why Use Cryptography?
Because you value your privacy; it's really that simple. Governments don't want to let classified information out. Banks and credit card companies are interested in your privacy, so they make sure your sensitive information is kept secret. You want to use email as you would snail mail - not as if you are shouting across a crowded room.
A Brief History Of Cryptography
Caesar's Alphabet
The most widely-known form of cryptography is Caesar's Alphabet. It's a very simple substitution cipher - a letter shift. Every letter in the alphabet is shifted a certain number of letters to the left. The most common key is three. Here is the alphabet as we know it, followed by Caesar's 'encrypted' alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Pretty simple, no? As such, the 'cleartext' of 'THIS IS AN ENCRYPTED MESSAGE' would become the 'ciphertext' of 'WKLV LV DQ HQFUBSWHG PHVVDJH'.
Can this be a secure cryptography system? It depends on who you're trying to secure it from. Governments? Not at all. Other people? Not really. Caesar's Alphabet is a very basic substitution cipher, and many people break substitution ciphers as a hobby, in the form of 'cryptograms'.
Enigma
Quite a jump - from ancient Rome to World War II. Enigma[2] was the revolutionary cryptography system developed by the German navy in order to pass secret messages without the pesky Allies getting the messages and interfering with the plans. The system was primarily mechanical and was a stream cipher - every point in the message affected every later point.
Enigma used a series of electrically connected wheels to exchange one letter for another multiple times. Most Enigma machines had spaces for three wheels, although later incarnations used four wheels to confound the Allied cryptanalysts. These wheels were chosen out of only a few possible wheels. The standard Enigma machine came with five possible wheels. The German Army and Air Force used a standard wheel set, while the Navy used a set of eight wheels.
When the user pressed a key on an Enigma machine's keyboard, the following changes occurred:
1. The rightmost wheel moved forward one position. This achieved Enigma's stream-based property.
2. The keypress went (if necessary) through the plugboard. Each letter could be exchanged with another letter using the plugboard. The plugboard itself was reciprocal - if A changed to F, then F changed to A.
3. Next, the current entered the first wheel. Each wheel randomly connected each input letter to a different output letter. The wheels themselves were not reciprocal, adding a decent degree of security to the system.
4. The current then passed through the next two wheels in the same fashion as the first wheel.
5. The current then entered the 'reflector'. This wheel returned the current back through the path it originally took (through each wheel and the plugboard in reverse order), but through a different input letter. The reflector added multiple layers of difficulty to cryptanalysis (if, of course, the cryptanalyst did not have an Enigma machine).
6. The current then lit up the appropriate light on the machine's display. This displayed the letter to be written down and transmitted.
Enigma itself was a reciprocal cryptography system - provided that the machine had been reset, all one needed to do to decrypt a message was to enter the ciphertext into the keyboard, and the cleartext would be output on the display.
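A simplified software model of the keypress path just described, added here as an example (it is not part of the original entry): plugboard, three non-reciprocal wheels, reflector, and the rightmost wheel stepping before each letter. The wheel wirings and reflector pairs are constructed from fixed seeds rather than the historical Enigma wirings, and ring settings and the stepping of the other wheels are left out.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_wheel(seed):
    """Constructed wheel wiring: a random permutation (not reciprocal), fixed by the seed."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)  # contact i on the input side connects to letters[i] on the output side


def make_reflector(seed):
    """Constructed reflector: 13 swapped pairs, so it is reciprocal and never maps a letter to itself."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    table = [""] * 26
    for a, b in zip(letters[0::2], letters[1::2]):
        table[ALPHABET.index(a)], table[ALPHABET.index(b)] = b, a
    return "".join(table)


class Enigma:
    def __init__(self, wheels, reflector, plug_pairs, start_positions):
        self.wheels = wheels                      # wiring strings, left to right
        self.reflector = reflector
        self.positions = list(start_positions)    # rotation of each wheel, left to right
        self.plug = {c: c for c in ALPHABET}
        for a, b in plug_pairs:                   # the plugboard is reciprocal by construction
            self.plug[a], self.plug[b] = b, a

    @staticmethod
    def _wheel(c, wiring, pos, forward):
        """Pass letter c through one wheel rotated by pos, forward (toward the reflector) or back."""
        contact = (ALPHABET.index(c) + pos) % 26
        if forward:
            out = ALPHABET.index(wiring[contact])
        else:
            out = wiring.index(ALPHABET[contact])
        return ALPHABET[(out - pos) % 26]

    def press(self, c):
        self.positions[-1] = (self.positions[-1] + 1) % 26   # step 1: rightmost wheel moves first
        c = self.plug[c]                                     # step 2: plugboard
        for wiring, pos in zip(reversed(self.wheels), reversed(self.positions)):
            c = self._wheel(c, wiring, pos, True)            # steps 3-4: right wheel, then the other two
        c = self.reflector[ALPHABET.index(c)]                # step 5: reflector ...
        for wiring, pos in zip(self.wheels, self.positions):
            c = self._wheel(c, wiring, pos, False)           # ... and back through the wheels in reverse
        return self.plug[c]                                  # step 6: plugboard again, then the lamp

    def run(self, text):
        return "".join(self.press(ch) for ch in text.upper() if ch in ALPHABET)


def machine(start="AAA"):
    """The same 'daily settings' every time: wheels, reflector, plugboard pairs and start positions."""
    wheels = [make_wheel(1), make_wheel(2), make_wheel(3)]
    return Enigma(wheels, make_reflector(4), [("A", "F"), ("Q", "Z")],
                  [ALPHABET.index(ch) for ch in start])


def demo_roundtrip(plaintext):
    """Encrypt, reset the machine to the same settings, and type the ciphertext back in."""
    ciphertext = machine().run(plaintext)
    recovered = machine().run(ciphertext)
    return ciphertext, recovered
```

Because the reflector has no fixed points, no letter is ever enciphered to itself, which is the reciprocal property the paragraph describes and also the weakness the Allied cryptanalysts exploited.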
DES - The Data Encryption Standard
The history of DES[3] is long and convoluted, but in short it successfully brought cryptography out of strictly governmental use and into the commercial market. Originally known as Lucifer and developed at IBM, DES was IBM's attempt to form a virtual monopoly in the digital world. If IBM could introduce cryptography to the consumer, then everyone would use their solution. IBM's first customer would be the various banks, with the revised, all-hardware version of Lucifer known as DSD-1.
Unfortunately, the National Security Agency (otherwise known as No Such Agency - the NSA) decided that commercial cryptography could be detrimental to national security and informed IBM that DSD-1 would require the NSA's stamp of approval before it could be shipped worldwide. IBM consented and submitted DSD-1 for approval.
Cracking DSD-1 proved to be a harder task for the NSA than originally expected. An attack upon ciphertext known as a 'T attack', which would attempt to force open the ciphertext and reveal the key by attempting various mathematical formulae, proved useless - IBM had somehow discovered this previously-classified method and redesigned Lucifer, taking this particular attack into account. The NSA forced IBM to classify all information regarding DSD-1 and Lucifer.
The NSA did have one idea for DSD-1 that would make IBM baulk - the key length itself. The original specification for Lucifer involved a 128-bit key. That might seem paltry, but consider this - 128 bits means that for each of those 128 positions, there are two choices. A two-bit key has a 'keyspace' of four possible keys. A three-bit key has eight. A key of this length has a monstrously large keyspace - approximately 3.4x10^38 (a mind-bendingly large number) possible keys. Assuming a computer could try a billion different keys in a single second, it would still take over ten quintillion millennia to try the entire keyspace. A key length of 128 bits, assuming the cryptography system is only vulnerable to such an attack (known as a 'brute force' attack), would be virtually unbreakable using modern computers. The NSA insisted that the key length be reduced to only 56 bits. A 56-bit key may be just under half as long, but it is orders of magnitude simpler to force open (a key requiring half the time to brute force would be 127 bits long). This recommended key would take the same computer just over two years to break. The NSA, of course, even at the time that DSD-1 was under development (circa 1974), must have had supercomputers significantly more powerful than this, in order to be comfortable with a keyspace of 56 bits.
IBM relented on the key length, and DSD-1 became DES. The NSA controlled the export of DES beyond the US borders, but it became enormously popular within the country. DES did just what IBM had hoped - it introduced cryptography to the consumer.
Modern Cryptography Systems
Since the development and publication of DES, cryptography has become enormously popular. Numerous cryptography systems (or algorithms, as they are better known today) have been developed for various purposes. Generally, they all benefit cryptography and privacy in one way or another.
Types of Ciphers
Substitution Ciphers
Substitution ciphers are the most simple, because they switch one letter for another, throughout the length of a message. They are easily broken by analysing the frequency of letters in the ciphertext and applying the most commonly-used letters in the appropriate places.
Reciprocal Ciphers
Reciprocal ciphers encompass more cryptography systems, and can make a system either less secure or more usable. A reciprocal cipher means, just as one enters the cleartext into the cryptography system to get the ciphertext, one could enter the ciphertext into the same place in the system to get the cleartext. Using a reciprocal substitution is a form of cryptographic suicide - it makes the cipher half as difficult to break. However, if Enigma weren't reciprocal, it would have been significantly more difficult to implement.
Symmetric Ciphers
For a long time, symmetric ciphers were the only form of cryptography available. A symmetric cipher uses the same key for encryption and decryption. Generally, symmetric ciphers are no less secure than asymmetric ciphers, since, in most modern cryptography systems, securing the key is more important than securing the cryptography system itself.
Asymmetric Ciphers
An asymmetric cipher[4] is another name for a 'split-key' algorithm. Very few split-key algorithms exist in the world of cryptography. The concept of split-key cryptography emerged in 1975. It revolutionised cryptography, as not only could the recipient of a message know that only he could read the contents, but that the message also could have come only from the sender. Each key, however, has a dual purpose.
The Keys
The public and private keys have a very special property - they are complementary to each other. In order to reverse the effects of one key, the other must be applied to the ciphertext.
The Public Key
The public key is, well, public. It is distributed to anyone and everyone. Anyone is allowed to see a person's public key.
The Private Key
The private key, as you might expect, is private. It is not distributed at all.
How They're Used
Securing Message Data
The sender (Alice) of the message has the recipient's (Bob's) public key. Alice then applies that public key to the message and sends it on its way. Anyone receiving the message will see only garble. Bob, however, has his own private key. He applies this private key to the ciphertext and voila! The cleartext appears.
Signing a message
Suppose that isn't enough. Suppose Alice wants Bob to be absolutely sure that the message was sent by her. Merely writing 'Love, Alice' at the bottom of the message isn't good enough - anyone could write that. How will she guarantee that Bob will know that she wrote it? By applying her own private key to the message. Anyone that has her public key will be able to verify that Alice wrote the message. Now, Bob can rest assured that Alice wrote the message, because it's been encrypted with her private key. He also knows that only he can read the message, because it's also been encrypted with his own public key.
Popular Titles in Cryptography
SSL
SSL[5] isn't a revolutionary cryptography system. It's actually a means of implementing cryptography into a web browser. SSL stands for Secure Sockets Layer and it's absolutely crucial for e-commerce.
The operation of SSL lies somewhere between simple and complicated. It relies on an asymmetric cipher to assure that the server computer in question belongs to the company it claims it does, and a symmetric cipher to proceed with encrypted communication.
1. The client (your computer) sends a batch of data to the server. This includes the version of SSL your browser uses (at the time of writing, we're up to version 3.0), some cipher settings (what algorithms the browser understands), some random data and various other titbits of information necessary for the session.
2. The server (their computer) sends back a bunch of data. It's pretty much the same kind of stuff, but it also includes the server's Authentication Certificate. If the people running the server have decided that they'd like the client's certificate, the server asks for that.
3. The client makes sure that the server's certificate is valid. This is a weird, complicated process, but it basically involves making sure that the client trusts the company who has said that the server is what it says it is. If this can't be done, the browser warns the user and abandons all hope of establishing secure communication.
4. The client creates a 'premaster secret' based on everything that has been transmitted so far. It then encrypts the premaster with the server's public key (it came with the certificate) and sends it off. If the server has asked for the client's certificate, the client signs this data first and sends its own certificate along for the ride.
5. If the server wants the client's certificate, it authenticates the client. If this can't be done, the server stops trying to secure the transmission. If it works, the server generates the 'master secret' from the premaster (after having applied its private key to the premaster). The client has performed the same operation. Now both computers have the same master secret.
6. That master secret is used to generate the 'session keys'. These keys are only good once, because they're based on information decided at the beginning of the session. They're symmetric and used not only to encrypt and decrypt data, but also to verify that the data hasn't been changed during transmission.
7. The client sends a message to the server saying that all future transmissions will use the session key and that it's done with this 'handshake'. The server sends a similar message.
At this point, all the information sent between the client and the server can only be read by those two machines. Credit card numbers, passwords, you name it - they can't be read by eavesdroppers.
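Steps 5 to 7 in code, added as an example that is neither from the original entry nor a real SSL implementation: both sides turn the premaster secret and the two random values into the same master secret and session keys, then use those keys to encrypt records and to detect any change in transit. The premaster is assumed to have arrived under the server's public key as in step 4; the PRF is HMAC-SHA256 in place of SSL 3.0's MD5/SHA-1 construction, and the cipher is a constructed HMAC keystream in place of RC4 or TripleDES.

```python
import hashlib
import hmac
import os

MAC_LEN = 32  # length of a SHA-256 tag


def prf(secret, label, seed, length):
    """Simplified pseudo-random function (HMAC-SHA256 in counter mode) standing in for SSL's PRF."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(premaster, client_random, server_random):
    """Master secret from the premaster and both hello randoms, then four session keys from the master.
    Client and server each run exactly this, so they end up holding identical keys."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 4 * 32)
    return {
        "master": master,
        "client_mac": block[0:32], "server_mac": block[32:64],
        "client_enc": block[64:96], "server_enc": block[96:128],
    }


def keystream(key, seq, length):
    # Constructed stream cipher: keystream = PRF(key, record sequence number), fresh for every record.
    return prf(key, b"record", seq.to_bytes(8, "big"), length)


def protect(plaintext, enc_key, mac_key, seq):
    """SSL-style record: MAC over the sequence number and data, then encrypt data||MAC."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, seq, len(body))))


def unprotect(record, enc_key, mac_key, seq):
    """Decrypt and recompute the MAC; None means the record was altered or is out of sequence."""
    body = bytes(a ^ b for a, b in zip(record, keystream(enc_key, seq, len(record))))
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None


def handshake_demo(tamper=False):
    """Both sides derive keys from the same inputs; the client protects one record; the server checks it."""
    client_random, server_random = os.urandom(32), os.urandom(32)  # exchanged in the two hellos
    premaster = os.urandom(48)  # assumed delivered to the server under its public key (step 4)
    client_keys = derive_keys(premaster, client_random, server_random)
    server_keys = derive_keys(premaster, client_random, server_random)  # the server's own computation
    record = protect(b"constructed sample: order 42",
                     client_keys["client_enc"], client_keys["client_mac"], 0)
    if tamper:  # someone on the path flips one bit of the ciphertext
        record = record[:10] + bytes([record[10] ^ 0x01]) + record[11:]
    received = unprotect(record, server_keys["client_enc"], server_keys["client_mac"], 0)
    return client_keys == server_keys, received
```

The sequence number inside the MAC is what stops a captured record from being replayed later in the session, which the session keys alone would not prevent.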
PGP
PGP (otherwise known as 'Pretty Good Privacy'), like SSL, isn't a cryptographic algorithm in and of itself, but a wrapper around cryptography. Phil Zimmermann began developing the PGP software in the mid-eighties in a political attack against the anti-cryptography movements of the government.[6]
PGP implements a number of asymmetric and symmetric algorithms in order to safely and securely encrypt and decrypt your email, depending on the contents of your certificate. This certificate includes your public key and your preferred symmetric algorithm. PGP uses any one of CAST, IDEA and TripleDES (DES applied three times) to encrypt the message (recent versions seem to prefer CAST and TripleDES over IDEA as the former two are patent-free). The software encrypts using the following steps:
1. The message is compressed. This is done as a safeguard against potential flaws in the encryption algorithm.
2. A session key is randomly generated, using keystrokes and mouse movements as its basis.
3. The compressed message is then encrypted using the recipient's choice of the three previously-mentioned algorithms. All three are symmetric algorithms.
4. The session key is encrypted using the recipient's public key. Now, only the recipient can decrypt the message.
PGP is quite simple in theory. The actual algorithms used are what made this software package difficult to write. Decryption operates in the opposite direction - the session key is decrypted with the recipient's private key, then the compressed message is decrypted using the appropriate algorithm, then PGP decompresses the message.[7]
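A runnable model of the four PGP steps and of their reversal, added as an example that is neither PGP's code nor the entry's; it also shows the two key uses from the 'How They're Used' section (Alice's private key for the signature, Bob's public key for secrecy). It uses a toy textbook RSA with tiny constructed primes and no padding (unsafe for real use; real keys are hundreds of digits long), zlib for compression, and a constructed HMAC keystream in place of CAST, IDEA or TripleDES.

```python
import hashlib
import hmac
import os
import zlib
from collections import namedtuple

Key = namedtuple("Key", "n exp")  # exp is e for a public key and d for a private key


def make_keypair(p, q, e):
    """Toy RSA from two small primes: returns (public, private). pow(e, -1, m) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return Key(n, e), Key(n, pow(e, -1, phi))


def apply_key(block, key):
    """Applying one key undoes the other: (m^e)^d = m mod n. This is the 'complementary' property."""
    return pow(block, key.exp, key.n)


def keystream(key, length):
    """Constructed stream cipher standing in for the symmetric algorithm (HMAC-SHA256 in counter mode)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def digest_mod(msg, n):
    # Toy: the SHA-256 digest is reduced into the tiny modulus; real schemes keep the full hash and pad it.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, private):
    """Alice applies her private key to a digest of the message."""
    return apply_key(digest_mod(msg, private.n), private)


def verify(msg, sig, public):
    """Anyone with Alice's public key reverses the signature and compares it with the digest."""
    return apply_key(sig, public) == digest_mod(msg, public.n)


def pgp_encrypt(msg, sender_private, recipient_public):
    """Sign, compress, encrypt under a fresh session key, wrap the session key for the recipient."""
    sig = sign(msg, sender_private)
    compressed = zlib.compress(msg + sig.to_bytes(2, "big"))            # step 1 (sig < 65536 here)
    session_key = os.urandom(16)                                         # step 2
    body = xor(compressed, keystream(session_key, len(compressed)))      # step 3
    wrapped = [apply_key(b, recipient_public) for b in session_key]      # step 4, byte by byte (toy)
    return wrapped, body


def pgp_decrypt(wrapped, body, recipient_private, sender_public):
    """The opposite direction: unwrap the session key, decrypt, decompress, then check the signature."""
    session_key = bytes(apply_key(c, recipient_private) for c in wrapped)
    payload = zlib.decompress(xor(body, keystream(session_key, len(body))))
    msg, sig = payload[:-2], int.from_bytes(payload[-2:], "big")
    return msg, verify(msg, sig, sender_public)
```

Only the short session key ever goes through the slow asymmetric operation, which is why PGP (and SSL) wrap a symmetric key rather than applying the public key to the whole message.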
Conclusion
The benefits of using cryptography should be relatively obvious - your private messages are kept private and you can be quite sure that your mail has been sent by the person who claims to have sent it. Privacy and peace of mind, plain and simple.
Of course, communication isn't the only thing cryptography can be used for. A controversial concept called 'digital rights management' can benefit from digital signatures - record companies can digitally sign songs that they don't mind being distributed and if a piece of music without the appropriate signature arrives on a person's hard drive, their music software could refuse to play it. Additionally, these digital signatures could be used to sign important documents in Adobe's Portable Document Format (also known as PDF). This could greatly speed up various legal or bureaucratic situations.
Cryptography, it could therefore be argued, is a necessity in today's 'digital age'. Governments may complain that, with widespread use of cryptography, national security will be threatened. On the other hand, what good is national security if the population has to give up their personal security? The Bush administration has taken pains to promote national security at the expense of personal privacy. This defeats the efforts that numerous mathematicians and programmers have taken to promote peace of mind in the coming era - and could make e-commerce, among many other behaviours on the internet, just as dangerous as it was only five years ago.
Explore cryptography today!
Glossary
algorithm - a plan for the manipulation of data within a computer.
asymmetric cipher - a cipher that requires one key to encrypt and another to decrypt.
bit - a single unit of data storage in a computer. Has an 'on' or 'off' state.
brute force attack - an attack on a cryptography system that attempts to determine the key used for encryption by attempting to decrypt the message using every possible key.
cipher - a particular cryptography system.
ciphertext - the output generated by encryption.
cleartext - a readable message. Also called plaintext.
cryptanalysis - the analysis of ciphertext in an attempt to determine the cleartext.
cryptanalyst - one who performs cryptanalysis.
cryptogram - a puzzle wherein a hidden message is encoded using a basic substitution cipher.
cryptography - the process or skill of communicating in or deciphering secret writings or ciphers.
decipher - see decrypt.
decrypt - to apply a known key to ciphertext in order to retrieve the cleartext.
DES - The Data Encryption Standard. Developed by IBM with the NSA in the mid-1970s.
e-commerce - commerce done over the internet.
encrypt - to apply a known key to a message in order to turn the message into ciphertext.
Enigma - a type of electromechanical cryptographic machine developed and used by the German military in the Second World War.
keyspace - all possible keys for a particular cryptography system. Typically measured in bit length.
Lucifer - the original, internal name of DES.
National Security Agency (NSA) - the US governmental body concerned with cryptanalysis and cryptography.
PGP - Pretty Good Privacy. Software program for using cryptography within email.
reciprocal cipher - a substitution cipher wherein each ciphertext letter's cleartext letter reverses - if a ciphertext 'A' becomes a cleartext 'F', a ciphertext 'F' becomes a cleartext 'A'.
substitution cipher - a simple cipher that replaces each instance of a particular cleartext letter with a matching ciphertext letter - all cleartext 'A's would become ciphertext 'F's.
symmetric cipher - a cipher that uses the same key for encryption and decryption.

[1] 'cryptography'. The American Heritage Dictionary of the English Language, Fourth Edition. 16 May 2001.
[2] Hamer, David. 'Enigma'. 20 January 2003.
[3] Levy, Steven. 'The Standard'. Crypto - How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[4] Levy, Steven. 'Public Key'. Crypto - How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[5] Netscape Communications Corporation. 'Introduction to SSL'. 23 January 2003.
[6] Levy, Steven. 'Crypto Anarchy'. Crypto - How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[7] Information on this can be found - in PDF format - in An Introduction to Cryptography. The PGPi Project. 23 January 2003.


Discuss this Entry
People have been talking about this Guide Entry. Here are the most
recent Conversations:
Book recommendation (Last Posting: Jan 20, 2004)
Off topic: (Last Posting: Jan 9, 2004)
Cryptography legalities (Last Posting: Jan 9, 2004)
"The Code Book" (Last Posting: Jan 8, 2004)



BBC MMII
Terms & Conditions | Privacy
Modern Cryptography - Methods and Uses
Created Jan 8, 2004 | Updated Jun 24, 2013
4 Conversations

cryptog'raphy n. The process or skill of communicating in or deciphering secret writings or ciphers.
1

So says one dictionary at least. But cryptography goes beyond communicating in 'secret writings or ciphers'.
What is Cryptography?
Most importantly, cryptography entails security. Cryptography allows you to make sure your credit card numbers aren't stolen, that no one
knows your password and that the recipient of a message knows, indisputably, that you sent it. Cryptography is the encryption and
decryption of information that you want to keep secure.
Who Uses Cryptography?
Governments. Spies. Banks. Credit card companies. You, if you've ever bought anything online. But do you realise you're using
cryptography? That little lock in the bottom corner of your web browser shows that you're browsing on a secure site - you're using a form of
cryptography called 'single-key cryptography'. Historically, it's the most common form. Unfortunately, cryptography suffers the stigma that it
is only used by people with something to hide.
Why Use Cryptography?
Because you value your privacy; it's really that simple. Governments don't want to let classified information out. Banks and credit card
companies are interested in your privacy, so they make sure your sensitive information is kept secret. You want to use email as you would
snail mail - not as if you are shouting across a crowded room.
A Brief History Of Cryptography
Caesar's Alphabet
The most widely-known form of cryptography is Caesar's Alphabet. It's a very simple substitution cipher - a letter shift. Every letter in the
alphabet is shifted a certain number of letters to the left. The most common key is three. Here is the alphabet as we know it, followed by
Caesar's 'encrypted' alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Pretty simple, no? As such, the 'cleartext' of 'THIS IS AN ENCRYPTED MESSAGE' would become the 'ciphertext' of 'WKLV LV DQ
HQFUBSWHG PHVVDJH'.
Can this be a secure cryptography system? It depends on who you're trying to secure it from. Governments? Not at all. Other people? Not
really. Caesar's Alphabet is a very basic substitution cipher, and many people break substitution ciphers as a hobby, in the form of
'cryptograms'.
Enigma
Quite a jump - from ancient Rome to World War II. Enigma
2
was the revolutionary cryptography system developed by the German navy in
order to pass secret messages without the pesky Allies getting the messages and interfering with the plans. The system was primarily
mechanical and was a stream cipher - every point in the message affected every later point.
Enigma used a series of electrically-connective wheels to exchange one letter into another multiple times. Most Enigma machines had
spaces for three wheels, although later incarnations used four wheels to confound the Allied cryptanalysts. These wheels were chosen out
of only a few possible wheels. The standard Enigma machine came with five possible wheels. The German Army and Air Force used a
standard wheel set, while the Navy used a set of eight wheels.
When the user pressed a key on an Enigma machine's keyboard, the following changes occurred:
The rightmost wheel moved forward one position. This achieved Enigma's stream-based property.
The keypress went (if necessary) through the plugboard. Each letter could be exchanged with another letter using the plugboard. The
plugboard itself was reciprocal - if A changed to F, then F changed to A.
Next, the current entered the first wheel. Each wheel randomly connected each input letter to a different output letter. The wheels
themselves were not reciprocal, adding a decent degree of security to the system.
The current then passed through the next two wheels in the same fashion as the first wheel.
The current then entered the 'reflector' This wheel returned the current back through the path it originally took (through each wheel and the
plugboard in reverse order), but through a different input letter. The reflector added multiple layers of difficulty to cryptanalysis (if, of course,
the cryptanalyst did not have an Enigma machine).
The current then lit up the appropriate light on the machine's display. This displayed the letter to be written down and transmitted.
Enigma itself was a reciprocal cryptography system - provided that the machine had been reset, all one needed to do to decrypt a message
was to enter the ciphertext into the keyboard, and the cleartext would be output on the display.
DES - The Data Encryption Standard
The history of DES
3
is long and convoluted, but in short it successfully brought cryptography out of strictly governmental use and into the
commercial market. Originally known as Lucifer and developed at IBM, DES was IBM's attempt to form a virtual monopoly in the digital
world. If IBM could introduce cryptography to the consumer, then everyone would use their solution. IBM's first customer would be the
various banks, with the revised, all-hardware version of Lucifer known as DSD-1.
Unfortunately, the National Security Agency (otherwise known as No Such Agency - the NSA) decided that commercial cryptography could
be detrimental to national security and informed IBM that DSD-1 would require the NSA's stamp of approval before it could be shipped
worldwide. IBM consented and submitted DSD-1 for approval.
Cracking DSD-1 proved to be a harder task for the NSA than originally expected. An attack upon ciphertext known as a 'T attack', which
would attempt to force open the ciphertext and reveal the key by attempting various mathematical formulae, proved useless - IBM had
somehow discovered this previously-classified method and redesigned Lucifer, taking this particular attack into account. The NSA forced
IBM to classify all information regarding DSD-1 and Lucifer.
The NSA did have one idea for DSD-1 that would make IBM baulk - the key length itself. The original specification for Lucifer involved a
128-bit key. That might seem paltry, but consider this - 128 bits means that for each of those 128 positions, there are two choices. A two-bit
key has a 'keyspace' of four possible keys. A three-bit key has eight. A key of this length has a monstrously large keyspace - approximately
3.410
38
(a mind-bendingly large number) possible keys. Assuming a computer could try a billion different keys in a single second, it would
still take over ten quintillion millennia to try the entire keyspace. A key length of 128 bits, assuming the cryptography system is only
vulnerable to such an attack (known as a 'brute force' attack) would be virtually unbreakable using modern computers. NSA insisted that
the key length be reduced to only 56 bits. A 56-bit key may be just under half as long, but it is orders of magnitude simpler to force open (A
key requiring half the time to brute force would be 127 bits long). This recommended key would take the same computer just over only two
years to break. The NSA, of course, even at the time that DSD-1 was under development (circa 1974), must have had supercomputers
significantly more powerful than this, in order to be comfortable with a keyspace of 56 bits.
IBM relented on the key length, and DSD-1 became DES. The NSA controlled the export of DES beyond the US borders, but it became
enormously popular within the country. DES did just what IBM had hoped - it introduced cryptography to the consumer.
Modern Cryptography Systems
Since the development and publication of DES, cryptography has become enormously popular. Numerous cryptography systems (or
algorithms, as they are better known today) have been developed for various purposes. Generally, they all benefit cryptography and privacy
in one way or another.
Types of Ciphers
Substitution Ciphers
Substitution ciphers are the most simple, because they switch one letter for another, throughout the length of a message. They are easily
broken by analysing the frequency of letters in the ciphertext and applying the most commonly-used letters in the appropriate places.
Reciprocal Ciphers
Reciprocal ciphers encompass more cryptography systems, and can make a system either less secure or more usable. A reciprocal cipher
means, just as one enters the cleartext into the cryptography system to get the ciphertext, one could enter the ciphertext into the same
place in the system to get the cleartext. Using a reciprocal substitution is a form of cryptographic suicide - it makes the cipher half as
difficult to break. However, if Enigma weren't reciprocal, it would have been significantly more difficult to implement.
Symmetric Ciphers
For a long time, symmetric ciphers were the only form of cryptography available. A symmetric cipher uses the same key for encryption and
decryption. Generally, symmetric ciphers are no less secure than asymmetric ciphers, since, in most modern cryptography systems,
securing the key is more important than securing the cryptography system itself.
Asymmetric Ciphers
An asymmetric cipher
4
is another name for a 'split-key' algorithm. Very few split-key algorithms exist in the world of cryptography. The
concept of split-key cryptography emerged in 1975. It revolutionised cryptography, as not only could the recipient of a message know that
only he could read the contents, but that the message also could have come only from the sender. Each key, however has a dual purpose.
The Keys
The public and private keys have a very special property - they are complementary to each other. In order to reverse the effects of one key,
the other must be applied to the ciphertext.
The Public Key
The public key is, well, public. It is distributed to anyone and everyone. Anyone is allowed to see a person's public key.
The Private Key
The private key, as you might expect, is private. It is not distributed at all.
How They're Used
Securing Message Data
The sender (Alice) of the message has the recipient's (Bob) public key. Alice then applies that public key to the message and sends it on its
way. Anyone receiving the message will see only garble. Bob, however, has his own private key. He applies this private key to the
ciphertext and voila! the cleartext appears.
Signing a message
Suppose that isn't enough. Suppose Alice wants Bob to be absolutely sure that the message was sent by her. Merely writing 'Love, Alice'
at the bottom of the message isn't good enough - anyone could write that. How will she guarantee that Bob will know that she wrote it? By
applying her own private key to the message. Anyone that has her public key will be able to verify that Alice wrote the message. Now, Bob
can rest assured that Alice wrote the message, because it's been encrypted with her private key. He also knows that only he can read the
message, because it's also been encrypted with his own public key.
Popular Titles in Cryptography
SSL
SSL[5] isn't a revolutionary cryptography system. It's actually a means of implementing cryptography in a web browser. SSL stands for Secure Sockets Layer and it's absolutely crucial for e-commerce.
The operation of SSL lies somewhere between simple and complicated. It relies on an asymmetric cipher to ensure that the server computer in question belongs to the company it claims to, and on a symmetric cipher to carry on the encrypted communication.
The client/your computer sends a batch of data to the server. This includes the version of SSL your browser uses (at the time of writing, we're up to version 3.0), some cipher settings (which algorithms the browser understands), some random data and various other titbits of information necessary for the session.
The server/their computer sends back a bunch of data. It's pretty much the same kind of stuff, but it also includes the server's
Authentication Certificate. If the people running the server have decided that they'd like the client's certificate, the server asks for that.
The client makes sure that the server's certificate is valid. This is a weird, complicated process, but it basically involves making sure that
the client trusts the company who has said that the server is what it says it is. If this can't be done, the browser warns the user and
abandons all hope of establishing secure communication.
The client creates a 'premaster secret' based on everything that has been transmitted so far. It then encrypts the premaster with the server's public key (it came with the certificate) and sends it off. If the server has asked for the client's certificate, the client signs this data first and sends its own certificate along for the ride.
If the server wants the client's certificate, it authenticates the client. If this can't be done, the server stops trying to secure the transmission.
If it works, the server generates the 'master secret' from the premaster (after having applied its private key to the premaster). The client has
performed the same operation. Now both computers have the same master secret.
That master secret is used to generate the 'session keys'. These keys are only good once, because they're based on information decided
at the beginning of the session. They're symmetric and used not only to encrypt and decrypt data, but also to verify that the data hasn't
been changed during transmission.
The client sends a message to the server saying that all future transmissions will use the session key and that it's done with this
'handshake'. The server sends a similar message.
At this point, all the information sent between the client and the server can only be read by those two machines. Credit card numbers,
passwords, you name it - they can't be read by eavesdroppers.
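The last stages of the handshake described above, as an added Python example that is not from the h2g2 entry or from any SSL implementation: each side turns the premaster secret and the random data from the two hello messages into the same master secret, expands it into one-time session keys, and uses one of those keys to verify that a record was not changed in transit. The derivation uses HMAC-SHA256 as a stand-in for the real SSL 3.0 construction, and the labels, key layout and function names are my own assumptions.

```python
import hashlib
import hmac

def master_secret(premaster, client_random, server_random):
    """Both sides combine the premaster with the random data exchanged in the hellos."""
    return hmac.new(premaster, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()

def session_keys(master, client_random, server_random):
    """Expand the master secret into one-time keys: a write key and a MAC key per direction.
    New randoms every session mean new keys every session, so the keys are only good once."""
    block = b""
    counter = 0
    while len(block) < 64:
        block += hmac.new(master, bytes([counter]) + b"key expansion" + server_random + client_random,
                          hashlib.sha256).digest()
        counter += 1
    return {"client_write": block[0:16], "server_write": block[16:32],
            "client_mac": block[32:48], "server_mac": block[48:64]}

def protect(record, mac_key, seq):
    """Append a tag over the sequence number and record; editing or reordering breaks it."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + record, hashlib.sha256).digest()
    return record + tag

def unprotect(protected, mac_key, seq):
    """Return the record, or None if it was changed (or replayed out of order) in transit."""
    record, tag = protected[:-32], protected[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + record, hashlib.sha256).digest()
    return record if hmac.compare_digest(tag, expected) else None

def handshake_keys(premaster, client_random, server_random):
    """What each side computes independently once it holds the premaster; no key crosses the wire."""
    return session_keys(master_secret(premaster, client_random, server_random),
                        client_random, server_random)
```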
PGP
PGP (otherwise known as 'Pretty Good Privacy'), like SSL, isn't a cryptographic algorithm in and of itself, but a wrapper around cryptography. Phil Zimmermann began developing the PGP software in the mid-eighties in a political attack against the anti-cryptography movements of the government[6].
PGP implements a number of asymmetric and symmetric algorithms in order to safely and securely encrypt and decrypt your email,
depending on the contents of your certificate. This certificate includes your public key and your preferred symmetric algorithm. PGP uses
any one of CAST, IDEA and TripleDES (DES applied three times) to encrypt the message (Recent versions seem to prefer CAST and
TripleDES over IDEA as the former two are patent-free). The software encrypts using the following steps:
The message is compressed. This is done as a safeguard against potential flaws in the encryption algorithm.
A session key is randomly generated, using keystrokes and mouse movements as its basis.
The compressed message is then encrypted using the recipient's choice of the three previously-mentioned algorithms. All three are
symmetric algorithms.
The session key is encrypted using the recipient's public key. Now, only the recipient can decrypt the message.
PGP is quite simple in theory. The actual algorithms used are what made this software package difficult to write. Decryption operates in the opposite direction - the session key is decrypted with the recipient's private key, then the compressed message is decrypted using the appropriate algorithm, then PGP decompresses the message[7].
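The four encryption steps and their reverse, as an added Python example that is not from the h2g2 entry or from the PGP software: compress, pick a random session key, encrypt the compressed message symmetrically, then wrap the session key with the recipient's public key. A SHA-256 keystream stands in for CAST/IDEA/TripleDES, os.urandom stands in for keystroke and mouse entropy, and the recipient's RSA key is built from constructed toy primes, so the session key is kept to 7 bytes; all of those are my own assumptions.

```python
import hashlib
import os
import zlib

# Constructed toy RSA key for the recipient; real keys use far larger primes.
P, Q, E = 1000000007, 1000000009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
RECIPIENT_PUBLIC, RECIPIENT_PRIVATE = (E, N), (D, N)
KEY_LEN = 7  # bytes; keeps the session key below the toy modulus (real keys are 16+ bytes)

def symmetric_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 keystream. One call encrypts, the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def pgp_encrypt(message, recipient_public):
    """Returns (wrapped session key, encrypted body)."""
    compressed = zlib.compress(message)                        # 1. compress the message
    session_key = os.urandom(KEY_LEN)                          # 2. fresh random session key
    body = symmetric_xor(session_key, compressed)              # 3. symmetric encryption
    e, n = recipient_public
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)    # 4. wrap key with recipient's public key
    return wrapped, body

def pgp_decrypt(wrapped, body, recipient_private):
    """Opposite direction: unwrap the key with the private key, decrypt, then decompress."""
    d, n = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(KEY_LEN, "big")
    return zlib.decompress(symmetric_xor(session_key, body))
```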
Conclusion
The benefits of using cryptography should be relatively obvious - your private messages are kept private and you can be quite sure that
your mail has been sent by the person who claims to have sent it. Privacy and peace of mind, plain and simple.
Of course, communication isn't the only thing cryptography can be used for. A controversial concept called 'digital rights management' can
benefit from digital signatures - record companies can digitally sign songs that they don't mind being distributed and if a piece of music
without the appropriate signature arrives on a person's hard drive, their music software could refuse to play it. Additionally, these digital
signatures could be used to sign important documents in Adobe's Portable Document Format (also known as PDF). This could greatly
speed up various legal or bureaucratic situations.
Cryptography, it could therefore be argued, is a necessity in today's 'digital age'. Governments may complain that, with widespread use of cryptography, national security will be threatened. On the other hand, what good is national security if the population has to give up their personal security? The Bush administration has taken pains to promote national security at the expense of personal privacy. This defeats the efforts that numerous mathematicians and programmers have made to promote peace of mind in the coming era - and could make e-commerce, among many other activities on the internet, just as dangerous as it was only five years ago.
Explore cryptography today!
Glossary
algorithm - a plan for the manipulation of data within a computer.
asymmetric cipher - a cipher that requires one key to encrypt and another to decrypt.
bit - a single unit of data storage in a computer. Has an 'on' or 'off' state.
brute force attack - an attack on a cryptography system that attempts to determine the key used for encryption by attempting to decrypt
the message using every possible key.
cipher - a particular cryptography system.
ciphertext - the output generated by encryption.
cleartext - a readable message. Also called plaintext.
cryptanalysis - the analysis of ciphertext in an attempt to determine the cleartext.
cryptanalyst - one who performs cryptanalysis.
cryptogram - a puzzle wherein a hidden message is encoded using a basic substitution cipher.
cryptography - the process or skill of communicating in or deciphering secret writings or ciphers.
decipher - see decrypt.
decrypt - to apply a known key to ciphertext in order to retrieve the cleartext.
DES - The Data Encryption Standard. Developed by IBM with the NSA in the mid-1970s.
e-commerce - commerce done over the internet.
encrypt - to apply a known key to a message in order to turn the message into ciphertext.
Enigma - a type of electromechanical cryptographic machine developed and used by the German military in the Second World War.
keyspace - all possible keys for a particular cryptography system. Typically measured in bit length.
Lucifer - the original, internal name of DES.
National Security Agency (NSA) - the US government body concerned with cryptanalysis and cryptography.
PGP - Pretty Good Privacy. Software program for using cryptography within email.
reciprocal cipher - a substitution cipher wherein each ciphertext letter's cleartext letter reverses - if a ciphertext 'A' becomes a cleartext 'F',
a ciphertext 'F' becomes a cleartext 'A'.
substitution cipher - a simple cipher that replaces each instance of a particular cleartext letter with a matching ciphertext letter - all
cleartext 'A's would become ciphertext 'F's.
symmetric cipher - a cipher that uses the same key for encryption and decryption.
[1] 'cryptography'. The American Heritage Dictionary of the English Language, Fourth Edition. 16 May 2001.
[2] Hamer, David. 'Enigma'. 20 January 2003.
[3] Levy, Steven. 'The Standard'. Crypto: How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[4] Levy, Steven. 'Public Key'. Crypto: How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[5] Netscape Communications Corporation. 'Introduction to SSL'. 23 January 2003.
[6] Levy, Steven. 'Crypto Anarchy'. Crypto: How the Code Rebels Beat the Government - Saving Privacy in the Digital Age. Penguin: Toronto, 2001.
[7] Information on this can be found - in PDF format - in An Introduction to Cryptography. The PGPi Project. 23 January 2003.